HIPAA & Medical Privacy by State (2026)

Last verified:

Source: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191. Privacy Rule: 45 C.F.R. Part 160 and Part 164, Subparts A and E. Right of access: 45 C.F.R. § 164.524. Right to amend: 45 C.F.R. § 164.526. Enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

About this article

Sourced from primary statutes (U.S. Code, CFR, state compiled statutes) and official government agency guidance. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Compare by state

Statute citations are verified per state. Select a state to jump to its full section below.

Medical-privacy statute and patient rights for each U.S. state and the District of Columbia.
Primary statute
AlabamaAla. Code § 22-11A-22 — HIV/AIDS Record Confidentiality
AlaskaAlaska Health Care Information — Alaska Stat. § 18.23
ArizonaA.R.S. § 36-509 — Arizona mental health records confidentiality (consent or court order required)
ArkansasArkansas Medical Records Retention, Ark. Code § 20-9-602
CaliforniaCalifornia Civil Code § 56 — Confidentiality of Medical Information Act (CMIA)
ColoradoC.R.S. § 27-65-101 et seq. — mental health record confidentiality
ConnecticutCGS § 20-7c — Patient access to medical records
DelawareDelaware Health Information Privacy Act, 16 Del. C. § 1201 et seq.
District of ColumbiaD.C. Mental Health Information Act, D.C. Code § 7-1201.01 et seq.
FloridaFlorida Medical Records Ownership and Confidentiality, Fla. Stat. § 456.057
HawaiiHawaii Prepaid Health Care Act — HRS § 393
IdahoIdaho Code § 39-609 — HIV/AIDS test result confidentiality
Illinois740 ILCS 110 — Mental Health and Developmental Disabilities Confidentiality Act
IndianaIndiana Code § 16-39 — Indiana Health Records Act (patient access and confidentiality)
IowaIowa Code § 228 — Mental Health Records Confidentiality
KansasK.S.A. § 65-4971 — Medical Records
KentuckyKRS § 214.625 — HIV/AIDS Confidentiality
LouisianaLouisiana Medical Records Privacy Act, La. R.S. § 40:1165.1 et seq.
Maine34-B M.R.S.A. § 1207 — mental health record confidentiality
MarylandMaryland Confidentiality of Medical Records Act, MD Code, Health-General § 4-301 et seq.
MassachusettsMGL c. 111, § 70E — Massachusetts Patients' Bill of Rights (health privacy)
MichiganMichigan Mental Health Code, MCL § 330.1748 — mental health record confidentiality
MinnesotaMinn. Stat. § 144.291 — Minnesota Health Records Act
MississippiMiss. Code Ann. § 41-9-1 et seq. — Mississippi medical records access
MissouriMissouri Mental Health Records Confidentiality, RSMo § 630.140
MontanaMontana Constitution Art. II, § 10 — explicit right to individual privacy
NebraskaNeb. Rev. Stat. § 71-8401 — Health Information Technology Act
NevadaNRS 629 — Medical Records
New HampshireRSA 329:26 — NH patient medical records access
New JerseyNJ Genetic Privacy Act, N.J.S.A. 10:5-43
New MexicoNMSA § 14-6-1 — New Mexico Inspection of Public Records Act
New YorkNY Public Health Law § 18 — patient access to medical records
North CarolinaN.C. Gen. Stat. § 122C-52 et seq. — Mental health records confidentiality
North DakotaN.D. Cent. Code § 23-12 — Health Records
OklahomaOklahoma HIV Confidentiality, 63 Okl. St. § 1-502.2
OregonOregon Genetic Privacy Act — ORS § 192.531 et seq.
PennsylvaniaPennsylvania Mental Health Procedures Act — confidentiality, 50 P.S. § 7111
Rhode IslandR.I. Gen. Laws § 5-37.3 — Confidentiality of Health Care Communications and Information Act
South CarolinaS.C. Code § 44-29-135 — HIV/AIDS Record Confidentiality
South DakotaHIPAA, 42 U.S.C. § 1320d et seq.
TennesseeTCA § 33-3-103 — Mental Health Record Confidentiality
TexasTexas Medical Records Privacy Act, Tex. Health & Safety Code Ch. 181
UtahUtah Consumer Privacy Act — Utah Code § 13-61
Vermont18 V.S.A. § 1881 — Vermont health record access and privacy
VirginiaVirginia Health Records Privacy, Va. Code § 32.1-127.1:03
WashingtonWashington Uniform Health Care Information Act, RCW 70.02
West VirginiaW. Va. Code § 27-3-1 — Mental health records confidentiality
WisconsinWis. Stat. § 51.30 — Mental Health Treatment Records Confidentiality
WyomingHIPAA Privacy Rule, 42 U.S.C. § 1320d et seq.
Federal Law

What is this right?

HIPAA — passed in 1996 — was originally about insurance portability when changing jobs. The medical privacy rules everyone associates with the name came in the Privacy Rule, finalized in 2003 after years of HHS rulemaking. The basic deal: your doctor, hospital, insurer, and pharmacy cannot share your medical records, diagnoses, or test results with your employer, family, or anyone else without your written permission. You have the right to see your own records and to request corrections, with the provider required to respond within 30 days.

Narrow exceptions let providers share information for treatment, payment, and healthcare operations — your doctor can send records to a specialist who is treating you without a signed release. Outside those exceptions, unauthorized disclosures can be reported to the HHS Office for Civil Rights. Penalties scale up to $1.5 million per violation category per year for willful neglect, and the OCR has used them — Anthem paid $16 million in 2018 over a single breach.

When does it apply?

HIPAA applies when:

  • A doctor, hospital, clinic, pharmacy, or health plan has your medical information.
  • You want to see or get a copy of your records.
  • You believe your information was shared without permission.
  • You want to correct an error in your records.
  • A provider or insurer asks you to sign a Notice of Privacy Practices.

Three myths:

  • "HIPAA covers all my health info everywhere." No. HIPAA reaches covered entities and their business associates — and that is it. Your employer, your school, fitness apps, genetic testing companies (23andMe), and social media posts are all outside the law's reach.
  • "My doctor can never share without my permission." Treatment, payment, and healthcare operations are explicit exceptions. Your doctor can talk to your specialist without a signed release. Public health reporting (certain diseases, gunshot wounds) is also generally required by state law.
  • "My employer can read my medical records." Generally no — your employer is not a covered entity. The exception: if your employer runs a self-insured health plan, the plan itself has HIPAA obligations, but it should be walled off from HR decision-making.

What to Do If Your Medical Information Was Shared Without Permission

Step 1: Request your records in writing. Under 45 C.F.R. § 164.524, the provider has 30 days to respond, with one 30-day extension allowed if they give you a written reason. Most providers now offer patient portals that meet the requirement.

Step 2: Found an error? Request an amendment. 45 C.F.R. § 164.526 — the provider has 60 days. If they refuse, they must explain why, and you have the right to add a statement of disagreement to the file that travels with the record going forward.

Step 3: Read the Notice of Privacy Practices. It tells you exactly how the provider will use and share your information. You have the right to ask for additional restrictions, though the provider is not always required to agree.

Step 4: File complaints with HHS OCR within 180 days. Online at hhs.gov/hipaa/filing-a-complaint or by phone at 1-800-368-1019. The 180-day deadline runs from when you discovered the violation, with limited extensions for good cause.

Step 5: Self-pay rights. Under 45 C.F.R. § 164.522(a), if you pay for a service in full out of pocket, you can require the provider not to share information about that specific visit with your health insurer. Useful for sensitive care you want to keep off your insurance record.

What should you NOT do?

Don't assume HIPAA covers everything called "health." Health apps, wearables, genetic testing services, and most online symptom tools sit outside HIPAA. The data you share with them is governed by the company's privacy policy and your state's consumer privacy law (if any).

Don't toss the Notice of Privacy Practices. It is not legal noise — it tells you exactly what the provider will do with your data and what rights you can exercise.

Don't sign blanket authorizations without reading. A "share with anyone you deem appropriate, for any reason, indefinitely" form is not the same as a targeted release. You can limit scope, recipients, and duration, and you can revoke any authorization in writing at any time.

Don't miss the 180-day complaint window. HHS OCR can extend it for cause, but the default is hard. File as soon as you know about the violation.

State Law

Worked example

  1. ScenarioYou ask your doctor's office for a complete copy of your medical records, but weeks pass with no response.

    OutcomeUnder HIPAA, a provider must act on your access request within 30 calendar days (with one possible 30-day extension if they notify you in writing of the reason). If they don't, you can file a complaint with the HHS Office for Civil Rights — there's no fee.

    Verified against the HIPAA Privacy Rule — the 30-day access requirement (45 C.F.R. §164.524). Some states set shorter timelines or extra protections; see your state's section. Educational information, not legal or medical advice.

You shouldn't have to hire a lawyer to assert your rights.

Answer a few questions. We generate a personalized letter citing your state's exact statutes, deadlines, and penalties — ready to print and send in minutes.

Lawyers charge $350+. Your letter: $19.

See all 6 letter types →

Common Questions

Do I have a right to my own medical records?

Yes. HIPAA gives you the right to inspect and get a copy of your health information held by providers and health plans — including medical, billing, and claims records. They must respond within 30 days and can charge only a reasonable, cost-based fee for copies.

How long does a provider have to give me my records?

Generally 30 calendar days from your request. They can take one additional 30-day extension only if they notify you in writing of the reason and the new date. Many states require faster turnaround — check your state's section above.

Can my health information be shared without my permission?

HIPAA allows sharing for treatment, payment, and health-care operations, but most other disclosures — especially marketing or selling your data — require your written authorization. You can also ask for restrictions and an accounting of certain disclosures.

What can I do if my medical privacy was violated?

You can file a complaint with the HHS Office for Civil Rights, generally within 180 days of learning of the violation; it's free. HIPAA itself has no private lawsuit, but some state laws let you sue. See your state's section above.

Do state laws add to HIPAA?

Often, yes. Many states have stricter rules for sensitive records — mental-health, HIV, genetic, or substance-use information — and some give you a private right to sue. Where state law is more protective, it applies on top of HIPAA. Check your state's section above.

State-by-state details

Alabama

Primary statute: Ala. Code § 22-11A-22 — HIV/AIDS Record Confidentiality

Alabama relies primarily on federal HIPAA with limited additional state protections:

  • HIPAA applies to covered entities in Alabama
  • Alabama has confidentiality protections for HIV/AIDS records (Ala. Code § 22-11A-22)
  • Mental health records have protections under Alabama law
  • Patients have a right to access their records within 30 days under HIPAA

Alaska

Primary statute: Alaska Health Care Information — Alaska Stat. § 18.23

Alaska follows federal HIPAA regulations with additional state privacy protections:

  • HIPAA applies to all covered entities in Alaska
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days (with a possible 30-day extension)
  • Alaska Stat. § 18.23 provides additional confidentiality protections for health care information
  • Alaska's strong constitutional right to privacy (Art. I, § 22) may provide additional protections for health information

Arizona

Primary statute: A.R.S. § 36-509 — Arizona mental health records confidentiality (consent or court order required)

Arizona supplements federal HIPAA with state-specific health privacy protections:

  • HIPAA applies to covered entities operating in Arizona
  • Arizona has specific protections for mental health records under A.R.S. § 36-509 — disclosure of mental health records generally requires patient consent or a court order
  • Arizona law provides confidentiality protections for HIV/AIDS test results under A.R.S. § 36-664
  • Arizona's medical records access law (A.R.S. § 12-2293) gives patients the right to obtain copies of their medical records
  • Healthcare providers must provide records within a reasonable time and may charge a reasonable fee for copies
  • Arizona protects the confidentiality of substance abuse treatment records consistent with federal 42 C.F.R. Part 2

Arkansas

Primary statute: Arkansas Medical Records Retention, Ark. Code § 20-9-602

Arkansas follows federal HIPAA regulations:

  • HIPAA applies to all covered entities in Arkansas
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days (with a possible 30-day extension)
  • Arkansas law provides additional protections for mental health records under the Mental Health Services Act
  • Medical records must be retained for a minimum of 10 years under Arkansas regulations

California

Primary statute: California Civil Code § 56 — Confidentiality of Medical Information Act (CMIA)

Full California guide →

Colorado

Primary statute: C.R.S. § 27-65-101 et seq. — mental health record confidentiality

Colorado supplements federal HIPAA with comprehensive state health privacy protections, including the Colorado Privacy Act:

  • HIPAA applies to covered entities operating in Colorado
  • Colorado has additional protections for mental health records under CRS § 27-65-101 et seq. (mental health confidentiality)
  • CO law provides specific confidentiality protections for HIV/AIDS test results (CRS § 25-4-1404) and substance abuse treatment records
  • The Colorado Privacy Act (CRS § 6-1-1301 et seq., effective July 2023) provides broad consumer data privacy rights including health data
  • Patients have a right to access their medical records — providers must respond within 30 days
  • Colorado's data breach notification law (CRS § 6-1-716) requires notification within 30 days when health data is compromised — one of the shortest notification deadlines in the country
  • Colorado has specific genetic information privacy protections (CRS § 10-3-1104.7)

Connecticut

Primary statute: CGS § 20-7c — Patient access to medical records

Connecticut follows federal HIPAA with strong additional state privacy protections:

  • HIPAA applies to all covered entities in Connecticut
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Connecticut law provides additional protections for HIV/AIDS records, mental health records, and genetic information
  • Connecticut enacted a comprehensive data privacy law (CTDPA) that provides additional health data protections effective 2023

Delaware

Primary statute: Delaware Health Information Privacy Act, 16 Del. C. § 1201 et seq.

Delaware follows federal HIPAA regulations with some additional state protections:

  • HIPAA applies to all covered entities in Delaware
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Delaware's Health Information Privacy Act (Del. Code tit. 16, § 1201 et seq.) provides additional protections for genetic information and HIV/AIDS records
  • Delaware enacted a Personal Data Privacy Act effective 2025 with additional health data protections

Florida

Primary statute: Florida Medical Records Ownership and Confidentiality, Fla. Stat. § 456.057

Florida has state-level health privacy laws that supplement HIPAA:

  • Florida Constitution Art. I, § 23: Florida is one of the few states with an explicit constitutional right to privacy. This has been applied to protect medical information.
  • Fla. Stat. § 456.057: Governs the ownership, custody, and disclosure of patient medical records. Patients have the right to access their records, and providers must maintain confidentiality.
  • Mental health records: The Baker Act (Fla. Stat. § 394.4615) provides additional confidentiality protections for mental health records created during involuntary examination or treatment.
  • HIV/AIDS confidentiality (Fla. Stat. § 381.004(3)): Provides specific confidentiality protections for HIV test results, requiring written informed consent before disclosure.

Hawaii

Primary statute: Hawaii Prepaid Health Care Act — HRS § 393

Hawaii follows federal HIPAA regulations and has a unique employer healthcare mandate:

  • HIPAA applies to all covered entities in Hawaii
  • You have the right to access and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Hawaii's Prepaid Health Care Act (1974) requires employers to provide health insurance to employees working 20+ hours per week — the only state with such a mandate (predating the ACA)
  • This means most Hawaii workers have employer-provided insurance, giving them greater access to healthcare and related privacy protections
  • Hawaii has additional protections for HIV/AIDS-related health information (HRS § 325-101)

Idaho

Primary statute: Idaho Code § 39-609 — HIV/AIDS test result confidentiality

Idaho follows federal HIPAA regulations for health information privacy:

  • HIPAA applies to all covered entities in Idaho
  • You have the right to access and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Idaho does not have extensive additional state health privacy laws beyond HIPAA
  • Mental health records and substance abuse treatment records receive additional federal protections (42 CFR Part 2)
  • Idaho law protects the confidentiality of HIV/AIDS test results (Idaho Code § 39-609)

Illinois

Primary statute: 740 ILCS 110 — Mental Health and Developmental Disabilities Confidentiality Act

Illinois has additional health privacy protections beyond federal HIPAA:

  • Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110): Provides heightened confidentiality protections for mental health records. Requires specific written consent for disclosure, with very narrow exceptions.
  • Genetic Information Privacy Act (410 ILCS 513): Prohibits genetic discrimination in employment and insurance and provides strong confidentiality protections for genetic test results.
  • AIDS Confidentiality Act (410 ILCS 305): Provides extra confidentiality protections for HIV/AIDS-related information, requiring specific written consent for disclosure.
  • BIPA implications: The Biometric Information Privacy Act (740 ILCS 14) can apply to healthcare settings that collect biometric data (fingerprints, facial scans), providing an additional layer of privacy protection.

Indiana

Primary statute: Indiana Code § 16-39 — Indiana Health Records Act (patient access and confidentiality)

Indiana supplements federal HIPAA with state health privacy protections:

  • HIPAA applies to covered entities operating in Indiana
  • Indiana has additional protections for mental health records under IC § 16-39-2 et seq. (confidentiality of health records)
  • IN law provides specific confidentiality protections for HIV test results (IC § 16-41-6)
  • Indiana's Health Records Act (IC § 16-39) governs patient access to and confidentiality of medical records
  • Patients have a right to access their medical records — providers must respond within 30 days
  • Indiana law limits charges for medical record copies
  • Indiana's data breach notification law (IC § 24-4.9) requires notification when health data is compromised

Iowa

Primary statute: Iowa Code § 228 — Mental Health Records Confidentiality

Iowa follows federal HIPAA regulations with some additional state protections:

  • HIPAA applies to all covered entities in Iowa
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Iowa has specific protections for mental health records (Iowa Code § 228) and substance abuse records
  • Iowa requires that patients be notified of their privacy rights upon receiving health care services

Kansas

Primary statute: K.S.A. § 65-4971 — Medical Records

Kansas follows federal HIPAA regulations:

  • HIPAA applies to all covered entities in Kansas
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Kansas law provides additional protections for mental health records and substance abuse treatment records
  • Medical records must be retained for a minimum of 10 years under Kansas regulations

Kentucky

Primary statute: KRS § 214.625 — HIV/AIDS Confidentiality

Kentucky supplements HIPAA with state health privacy protections:

  • HIPAA applies to covered entities in Kentucky
  • Kentucky has confidentiality protections for HIV/AIDS records (KRS § 214.625)
  • Mental health records have protections under KRS Chapter 210
  • Patients have a right to access records within 30 days under HIPAA

Louisiana

Primary statute: Louisiana Medical Records Privacy Act, La. R.S. § 40:1165.1 et seq.

Louisiana supplements HIPAA with state health privacy protections:

  • HIPAA applies to covered entities in Louisiana
  • Louisiana has a Medical Records Privacy Act (La. R.S. § 40:1165.1 et seq.) with additional patient protections
  • HIV/AIDS records have heightened confidentiality under La. R.S. § 40:1099
  • Mental health records have additional protections under the Mental Health Law

Maine

Primary statute: 34-B M.R.S.A. § 1207 — mental health record confidentiality

Maine follows federal HIPAA regulations with additional state protections:

  • HIPAA applies to all covered entities in Maine
  • You have the right to access and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Maine provides additional protections through MaineCare (Maine Medicaid) for enrolled individuals
  • Maine has strong mental health confidentiality protections (34-B M.R.S.A. § 1207)
  • Maine law protects the confidentiality of HIV/AIDS test results and genetic information

Maryland

Primary statute: Maryland Confidentiality of Medical Records Act, MD Code, Health-General § 4-301 et seq.

Maryland supplements federal HIPAA with comprehensive state health privacy protections:

  • HIPAA applies to covered entities operating in Maryland
  • The Maryland Confidentiality of Medical Records Act (MD Code, Health-General § 4-301 et seq.) provides additional protections beyond HIPAA
  • MD law provides specific confidentiality protections for mental health records, HIV/AIDS test results, and substance abuse treatment records
  • Patients have a right to access their medical records — providers must respond within 21 working days (stricter than HIPAA's 30 days)
  • MD law limits the fees that providers can charge for medical record copies
  • Maryland's data breach notification law (MD Code, Commercial Law § 14-3501 et seq.) requires notification when health data is compromised
  • MD has specific protections for genetic information under the MD Genetic Information Nondiscrimination Act

Massachusetts

Primary statute: MGL c. 111, § 70E — Massachusetts Patients' Bill of Rights (health privacy)

Massachusetts supplements federal HIPAA with strong state health privacy protections:

  • HIPAA applies to covered entities operating in Massachusetts
  • MA has additional protections under MGL c. 111, § 70E (Patients' Bill of Rights) granting patients the right to confidential treatment of medical records
  • MA law provides specific confidentiality protections for mental health records (MGL c. 123, § 36), HIV/AIDS status, and substance abuse treatment records
  • Patients have a right to access and copy their medical records — providers must respond within 30 days
  • MA law limits the cost of medical record copies
  • MA has a comprehensive data breach notification law (MGL c. 93H) requiring notification when health data is compromised
  • Insurance companies must comply with both HIPAA and MA-specific privacy requirements

Michigan

Primary statute: Michigan Mental Health Code, MCL § 330.1748 — mental health record confidentiality

Michigan supplements federal HIPAA with state health privacy protections:

  • HIPAA applies to covered entities operating in Michigan
  • Michigan has specific protections for mental health records under the Mental Health Code (MCL § 330.1748 et seq.) — these records have heightened confidentiality requirements
  • HIV/AIDS test results have special protections under Michigan law (MCL § 333.5131)
  • Substance abuse treatment records are protected under both federal 42 C.F.R. Part 2 and state law
  • Patients have a right to access their medical records; providers must respond within 30 days
  • Michigan allows patients to designate a personal representative for healthcare decisions and records access

Minnesota

Primary statute: Minn. Stat. § 144.291 — Minnesota Health Records Act

Minnesota has some of the strongest health privacy protections in the nation under the Minnesota Health Records Act:

  • The Minnesota Health Records Act (Minn. Stat. § 144.291 et seq.) provides protections beyond federal HIPAA
  • Patients must provide specific written consent before health records can be released (stricter than HIPAA's general authorization)
  • Mental health records have heightened protections under Minn. Stat. § 148B
  • Patients have a right to access their records within 30 days
  • Minnesota law provides a private right of action for health privacy violations (unlike HIPAA which has no private right of action)

Mississippi

Primary statute: Miss. Code Ann. § 41-9-1 et seq. — Mississippi medical records access

Mississippi follows federal HIPAA regulations:

  • HIPAA applies to all covered entities in Mississippi
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Mississippi does not have comprehensive additional state health privacy laws beyond HIPAA
  • Medical records must be retained by providers under professional licensing requirements

Missouri

Primary statute: Missouri Mental Health Records Confidentiality, RSMo § 630.140

Missouri supplements federal HIPAA with state health privacy protections:

  • HIPAA applies to covered entities operating in Missouri
  • Missouri has additional protections for mental health records under RSMo § 630.140 (mental health records confidentiality)
  • MO law provides specific confidentiality protections for HIV/AIDS test results (RSMo § 191.656)
  • Substance abuse treatment records have additional protections under both state and federal law
  • Patients have a right to access their medical records under both HIPAA and MO law
  • Missouri law requires healthcare providers to release records within a reasonable time
  • Missouri's data breach notification law (RSMo § 407.1500) requires notification when health data is compromised

Montana

Primary statute: Montana Constitution Art. II, § 10 — explicit right to individual privacy

Montana follows federal HIPAA regulations and has uniquely strong constitutional privacy protections:

  • HIPAA applies to all covered entities in Montana
  • You have the right to access and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Montana's constitutional right to individual privacy (Art. II, § 10) provides additional protections for health information beyond HIPAA
  • Montana courts have interpreted this privacy right broadly to cover medical records and health data
  • Montana law provides additional confidentiality protections for mental health records and substance abuse treatment

Nebraska

Primary statute: Neb. Rev. Stat. § 71-8401 — Health Information Technology Act

Nebraska follows federal HIPAA regulations with some additional state protections:

  • HIPAA applies to all covered entities (healthcare providers, insurers, clearinghouses) in Nebraska
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days (with a possible 30-day extension)
  • Nebraska law provides additional protections for mental health records and substance abuse treatment records
  • The Nebraska Health Information Technology Act promotes secure electronic health information exchange

Nevada

Primary statute: NRS 629 — Medical Records

Nevada follows federal HIPAA with strong additional state privacy protections:

  • HIPAA applies to all covered entities in Nevada
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Nevada has enacted comprehensive health data privacy laws — SB 370 (2019) requires data brokers to comply with consumer opt-out requests
  • Nevada provides additional protections for genetic information and HIV/AIDS records

New Hampshire

Primary statute: RSA 329:26 — NH patient medical records access

New Hampshire follows federal HIPAA regulations with additional state protections:

  • HIPAA applies to all covered entities in New Hampshire
  • You have the right to access and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • New Hampshire has additional insurance protections — the NH Insurance Department regulates health insurance practices
  • NH law provides additional confidentiality protections for mental health treatment records and HIV/AIDS information
  • New Hampshire Medicaid (NH Healthy Families) provides additional privacy protections for enrolled individuals

New Jersey

Primary statute: NJ Genetic Privacy Act, N.J.S.A. 10:5-43

New Jersey provides additional health privacy protections beyond federal HIPAA:

  • NJ Patient's Bill of Rights (N.J.A.C. 8:43G-4.1): Guarantees patients the right to privacy and confidentiality of all medical records and communications. Applies to all licensed healthcare facilities in New Jersey.
  • NJ Genetic Privacy Act (N.J.S.A. 10:5-43 to -49): Prohibits genetic information from being used for employment or insurance discrimination. Genetic test results have extra confidentiality protections beyond what HIPAA provides.
  • NJ Identity Theft Prevention Act (N.J.S.A. 56:11-44): Requires notification of data breaches involving personal health information within a specific timeframe. Broader coverage than HIPAA's breach notification rule.
  • Mental health and substance abuse records: NJ has strong state-level protections for mental health records under N.J.S.A. 30:4-24.3 and aligns with federal 42 C.F.R. Part 2 protections for substance abuse treatment records.

New Mexico

Primary statute: NMSA § 14-6-1 — New Mexico Inspection of Public Records Act

New Mexico follows federal HIPAA regulations with some additional state protections:

  • HIPAA applies to all covered entities in New Mexico
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • New Mexico has additional protections for behavioral health records and substance abuse treatment records
  • The Indian Health Service (significant in NM) follows both HIPAA and additional federal tribal health privacy rules

New York

Primary statute: NY Public Health Law § 18 — patient access to medical records

New York provides additional health privacy protections through several state laws:

  • NY Public Health Law § 18: Gives patients the right to access their medical records within 10 days of a written request (faster than HIPAA's 30-day window). Providers can charge no more than $0.75 per page.
  • NY SHIELD Act (General Business Law § 899-aa): Expands data breach notification requirements to include health information. Healthcare entities must notify patients of breaches involving their health data, with stricter requirements than HIPAA's breach notification rule.
  • NY Mental Hygiene Law § 33.13: Provides extra confidentiality protections for mental health records. Mental health information has stricter disclosure rules than general medical records, requiring specific authorization for release.
  • HIV/AIDS confidentiality: NY Public Health Law Article 27-F provides exceptionally strong protections for HIV-related information, requiring specific written consent for disclosure separate from general medical record authorizations.

North Carolina

Primary statute: N.C. Gen. Stat. § 122C-52 et seq. — Mental health records confidentiality

North Carolina supplements federal HIPAA with state health privacy protections:

  • HIPAA applies to covered entities (healthcare providers, insurers, clearinghouses) operating in NC
  • NC has additional confidentiality protections for mental health records under N.C. Gen. Stat. § 122C-52 et seq.
  • NC law provides specific protections for HIV/AIDS test results and substance abuse records
  • Patients have a right to access their medical records under both HIPAA and NC law
  • Healthcare providers must respond to records requests within 30 days under HIPAA
  • NC law restricts disclosure of minors' health information related to certain treatments (mental health, substance abuse, STIs)

North Dakota

Primary statute: N.D. Cent. Code § 23-12 — Health Records

North Dakota follows federal HIPAA regulations with some additional state protections:

  • HIPAA applies to all covered entities in North Dakota
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • North Dakota has specific confidentiality protections for mental health, substance abuse, and genetic information records
  • N.D. Cent. Code § 23-12 provides rules for the handling and disclosure of health information

Oklahoma

Primary statute: Oklahoma HIV Confidentiality, 63 Okl. St. § 1-502.2

Oklahoma supplements HIPAA with limited state health privacy protections:

  • HIPAA applies to covered entities in Oklahoma
  • Oklahoma has confidentiality protections for HIV/AIDS records (63 Okl. St. § 1-502.2)
  • Mental health records have protections under Oklahoma Mental Health Law
  • Patients have a right to access records within 30 days under HIPAA

Oregon

Primary statute: Oregon Genetic Privacy Act — ORS § 192.531 et seq.

Oregon supplements HIPAA with state health privacy protections:

  • Oregon has a comprehensive Genetic Privacy Act (ORS § 192.531 et seq.) — one of the strongest in the nation
  • HIV/AIDS records have heightened confidentiality under ORS § 433.045
  • Mental health records have additional protections under ORS Chapter 179
  • Patients have a right to access records within 30 days
  • Oregon provides a private right of action for health information privacy violations

Pennsylvania

Primary statute: Pennsylvania Mental Health Procedures Act — confidentiality, 50 P.S. § 7111

Pennsylvania supplements HIPAA with additional health privacy protections:

  • PA Mental Health Procedures Act (50 P.S. § 7111): Provides heightened confidentiality for mental health records. Disclosure requires specific written consent, with limited exceptions for treatment emergencies.
  • Drug and Alcohol Abuse Control Act (71 P.S. § 1690.108): Provides confidentiality protections for substance abuse treatment records, aligning with federal 42 C.F.R. Part 2.
  • HIV/AIDS confidentiality (35 P.S. § 7601 et seq.): The Confidentiality of HIV-Related Information Act requires specific written consent for disclosure of HIV-related information, with criminal penalties for violations.
  • Breach notification: PA's Breach of Personal Information Notification Act (73 P.S. § 2303) requires notification of breaches involving health information.

Rhode Island

Primary statute: R.I. Gen. Laws § 5-37.3 — Confidentiality of Health Care Communications and Information Act

Rhode Island follows federal HIPAA with additional state health privacy protections:

  • HIPAA applies to all covered entities in Rhode Island
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Rhode Island's Confidentiality of Health Care Communications and Information Act (R.I. Gen. Laws § 5-37.3) provides additional protections
  • Rhode Island has specific protections for mental health, HIV/AIDS, and genetic information records

South Carolina

Primary statute: S.C. Code § 44-29-135 — HIV/AIDS Record Confidentiality

South Carolina supplements federal HIPAA with limited state health privacy protections:

  • HIPAA applies to covered entities operating in SC
  • SC has confidentiality protections for HIV/AIDS records (S.C. Code § 44-29-135)
  • Mental health records have heightened confidentiality under the SC Mental Health Act
  • Patients have a right to access their records within 30 days under HIPAA

South Dakota

Primary statute: HIPAA, 42 U.S.C. § 1320d et seq.

South Dakota follows federal HIPAA regulations:

  • HIPAA applies to all covered entities in South Dakota
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • South Dakota does not have comprehensive additional state health privacy laws beyond HIPAA
  • Medical records retention requirements follow professional licensing standards

Tennessee

Primary statute: TCA § 33-3-103 — Mental Health Record Confidentiality

Tennessee supplements federal HIPAA with state health privacy protections:

  • HIPAA applies to covered entities operating in Tennessee
  • TN has additional protections for mental health records under TCA § 33-3-103 et seq. (confidentiality of mental health records)
  • TN law provides specific confidentiality protections for HIV/AIDS test results (TCA § 68-10-113)
  • Substance abuse treatment records have additional protections under both state and federal law
  • Patients have the right to access their medical records under both HIPAA and TN law
  • TN law requires healthcare providers to respond to records requests within 30 days
  • Tennessee's data breach notification law (TCA § 47-18-2107) requires notification when health data is compromised

Texas

Primary statute: Texas Medical Records Privacy Act, Tex. Health & Safety Code Ch. 181

Full Texas guide →

Utah

Primary statute: Utah Consumer Privacy Act — Utah Code § 13-61

Utah follows federal HIPAA with additional state privacy protections:

  • HIPAA applies to all covered entities in Utah
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Utah enacted the Utah Consumer Privacy Act (UCPA) effective December 2023, which includes provisions for health data
  • Utah has specific protections for mental health and substance abuse records

Vermont

Primary statute: 18 V.S.A. § 1881 — Vermont health record access and privacy

Vermont follows federal HIPAA with strong additional state privacy protections:

  • HIPAA applies to all covered entities in Vermont
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Vermont has enacted comprehensive health data privacy protections, including the Vermont Health Insurance Claims Database
  • Vermont Act 53 (2019) provides additional consumer health data protections

Washington

Primary statute: Washington Uniform Health Care Information Act, RCW 70.02

Washington supplements federal HIPAA with some of the strongest state health privacy protections in the nation:

  • HIPAA applies to covered entities operating in Washington
  • The Washington My Health My Data Act (2023) provides comprehensive health data privacy protections for data not covered by HIPAA — including data collected by apps, websites, and non-HIPAA-covered businesses
  • Washington has specific protections for mental health records (RCW 71.05.390) with heightened consent requirements for disclosure
  • HIV test results and substance abuse records have strict confidentiality protections
  • Washington requires patient consent before sharing health information in many situations where HIPAA alone would not require consent
  • Washington's Uniform Health Care Information Act (RCW 70.02) provides additional patient access and privacy rights

Wisconsin

Primary statute: Wis. Stat. § 51.30 — Mental Health Treatment Records Confidentiality

Wisconsin supplements federal HIPAA with state health privacy protections:

  • HIPAA applies to covered entities operating in Wisconsin
  • Wisconsin has additional protections for mental health records under Wis. Stat. § 51.30 (confidentiality of mental health treatment records)
  • WI law provides specific confidentiality protections for HIV/AIDS test results (Wis. Stat. § 252.15) and substance abuse treatment records
  • Wisconsin's Patient's Bill of Rights (Wis. Stat. § 51.61) provides comprehensive protections for individuals in mental health facilities
  • Patients have a right to access their medical records — providers must respond within 30 days
  • Wisconsin's data breach notification law (Wis. Stat. § 134.98) requires notification when personal information, including health data, is compromised

Wyoming

Primary statute: HIPAA Privacy Rule, 42 U.S.C. § 1320d et seq.

Wyoming follows federal HIPAA regulations:

  • HIPAA applies to all covered entities in Wyoming
  • You have the right to access, inspect, and obtain copies of your medical records
  • Providers must respond to records requests within 30 days
  • Wyoming does not have comprehensive additional state health privacy laws beyond HIPAA
  • Wyoming's small population and rural healthcare system mean access and privacy concerns are closely intertwined

HIPAA Privacy Rights by State

Every state has its own thresholds and procedures. Pick yours to see your state's exact rules, statutes, and local specifics.

You came here to know your rights — help someone else know theirs.

Support This Mission